Ledger Chief Security Officer Charles Guillemet gave a shocking presentation at the MIT Bitcoin Expo this week in which he presented alleged vulnerabilities with the hardware cryptocurrency wallet produced by Trezor – perhaps its top competitor. Trezor argues in a new blog post that all of the attack vectors mentioned are not exploitable remotely.

Trezor particularly took umbrage to the disclosure of an existing chip vulnerability, saying:
“[W]e were surprised by Ledger’s announcement of this issue, especially after being explicitly asked by Ledger not to publicize the issue, due to possible implications for the whole microchip industry, beyond hardware wallets, such as the medical and automotive industries. Since Ledger is in talks with the chip manufacturer (ST) at the moment, we will also refrain from divulging any critical information, save for the fact that this attack vector is also resource-intensive, requiring laboratory-level equipment for manipulations of the microchip as well as deep expertise in the subject.”

After all, even major cryptocurrency exchanges are known to use hardware wallets for cold storage. Even if it requires “laboratory level” equipment and extreme knowledge, the jackpot is big enough that attacks could take place if people learn how to do them.

Guillemet noted a number of attack vectors for hardware wallets, one of which is a “supply chain attack.” A supply chain attack involves compromising the device itself, en route to the customer. Ledger’s CSO claims that Trezor is aware they have had counterfeiting of their products.

Guillemet says:“But why does it matter? It does matter because in this white device, I could insert some kind of backdoor. You can backdoor the device in many different ways.”

This is definitely an area where more research needs to be done to ensure that the data is being protected to ensure people would not lose their funds. In any sort of fledgling market, it is extremely important to ensure people that their investment is safe. Without that, people, businesses and governments will be afraid to invest their hard earned funds into any sort of project. More shockingly, if exchanges are using these wallets to store funds, this could be a huge black eye if hacked.

The problem will exist until such a time that people somehow make their own hardware wallets at home. Even then, as Trezor says:

“No hardware is unhackable, and depending on what your security model is, there are tools which you can use to mitigate threats. […] Besides, if one has sufficient capital, time, and resources, no hardware barriers will stand against their attacks.”

While this statement may be true, making it as absolutely difficult as possible is the key. There may be vulnerabilities but it is crucial to eliminate as many flaws as possible.